Tech Tip: Ensure systems have the necessary level of protection

Learn how to ensure systems have the necessary level of protection.

By Mike Talon

When developing a disaster recovery plan, the typical first step is determining what exactly the organization needs to protect. Most organizations can divide systems into two main groups: noncritical systems that they can restore from tape and critical systems that can't withstand the several hours of downtime required for a tape restore.

Determining which systems require protection and evaluating their level of required protection can offer organizations a solid basis for creating proper budgets. Making this differentiation can also help you make a better case for your budget to upper management.

The process of determining your organization's data protection needs centers around two key metrics.

  • Recovery time objective (RTO): This metric signifies how long a system may be offline before it severely impacts business.
  • Recovery point objective (RPO): This metric indicates how much data loss is acceptable during a disaster.

Establishing RTOs and RPOs will take some time--don't expect to nail down these numbers after a one-hour meeting. In addition, it almost always requires getting input from both technical and nontechnical staff.

RTOs are typically the easier of the two numbers to figure out. Start by asking the individual business units for estimates of how much downtime their data systems can suffer before it seriously affects their ability to continue business.

For most critical Windows-based systems, RTOs generally range from 30 minutes to two hours. RTOs for UNIX-based systems are often somewhat shorter, due to their ability to perform more advanced clustering and faster failover. For noncritical data systems, RTOs typically range from six hours to up to several days.

Determining which systems need which RTOs allows organizations to manage their budgets and focus their funds on the more expensive (and generally faster) recovery systems only where it's truly necessary.

RPOs can be somewhat harder to gauge. Because physically stored data often has no specific numeric value outside of the context of doing business, it's difficult to assign it a dollar value before the actual loss occurs. Most businesses have no idea how much data is actually worth until they lose it, which can be a very costly mistake to make in the event of a serious disaster.

For critical data systems, RPOs generally range from a few seconds to an hour or so. Noncritical systems can often survive a day's worth of data loss or more, especially if the data is mostly static.

Determining appropriate RTOs and RPOs is generally the first step in the long process of DR planning. But if you neglect this first step, you risk implementing systems that may miss the mark in terms of both protection and budget. Proper planning will ensure that your organization expends the least amount of money while still ensuring the protection it needs.

Mike Talon is an IT consultant and freelance journalist who has worked for both traditional businesses and dot-com startups.